Cisco IOS routers have a new firewall configuration method.  Ok, so it's not so new (Feb 2006), but I tend to let big changes like this “cook” for a while before I'll partake.  Plus I finally got a handle on the Inspect/CBAC way of doing things!!  BTW, the “old” method is now called the IOS Classic Firewall ;)

The new method is called Zone-Based Firewall (ZBF), or Zone-Based Policy Firewall if you want, and it makes configuring a firewall policy noticeably simpler: interfaces are assigned to zones, and policy is written once per zone pair instead of per interface.

If you're used to working with the PIX/ASA firewalls, the learning curve is not as high, because their model of named interfaces with security levels is already zone-like.

This document shows a very simple example of what the new ZBF configuration looks like.  They also provide some performance numbers, but what is absent is a comparison against the performance of the previous Inspect/CBAC method.

That all being said, SDM 2.5 builds ZBF configurations by default.  If you have an existing Inspect/CBAC configuration, however, SDM will continue to support it (at least for now).

I’ll be honest, when I first saw SDM build a ZBF firewall configuration I immediately pulled it out, put in my own Inspect/CBAC configuration, and then went on happily.

But times are changing, and if you need to firewall more than two interfaces, with varying degrees of lock-down, the ZBF truly looks like the way to go.  Managing multiple ACLs and Inspect/CBAC configurations gets really tedious after a while, which makes it easy to screw something up inadvertently.  ZBF also fails closed: traffic between two zones that have no zone-pair policy is dropped by default, so forgetting a policy leaves a path blocked rather than wide open.
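As an added example (mine, not from this post or from any of the Cisco documents linked below), here is what a three-zone ZBF policy looks like for the case just described: an INSIDE LAN, an OUTSIDE Internet link, and a DMZ hosting a single web server.  The interface names, zone and policy names, and the server address 192.0.2.10 are all assumed for illustration.

```cisco
! Added example: three-zone ZBF policy (INSIDE users, OUTSIDE Internet, DMZ web server).
! Zone, interface and policy names and the address 192.0.2.10 are assumed.
zone security INSIDE
zone security OUTSIDE
zone security DMZ
!
interface GigabitEthernet0/0
 description LAN
 zone-member security INSIDE
interface GigabitEthernet0/1
 description Internet uplink
 zone-member security OUTSIDE
interface GigabitEthernet0/2
 description DMZ
 zone-member security DMZ
!
! Inside users may open web, DNS and ping sessions outbound. The stateful
! "inspect" action lets the return traffic back in, so no inbound ACL is needed.
class-map type inspect match-any INSIDE-TO-OUTSIDE-PROTOS
 match protocol http
 match protocol https
 match protocol dns
 match protocol icmp
!
policy-map type inspect INSIDE-TO-OUTSIDE-POLICY
 class type inspect INSIDE-TO-OUTSIDE-PROTOS
  inspect
 class class-default
  drop log
!
zone-pair security INSIDE-OUTSIDE source INSIDE destination OUTSIDE
 service-policy type inspect INSIDE-TO-OUTSIDE-POLICY
!
! Inside users may also reach the DMZ; the same policy-map is simply reused.
zone-pair security INSIDE-DMZ source INSIDE destination DMZ
 service-policy type inspect INSIDE-TO-OUTSIDE-POLICY
!
! The Internet may reach only the DMZ web server, and only on HTTP.
! match-all ANDs the destination ACL with the protocol match.
ip access-list extended DMZ-WEB-SERVER
 permit tcp any host 192.0.2.10 eq www
!
class-map type inspect match-all OUTSIDE-TO-DMZ-WEB
 match access-group name DMZ-WEB-SERVER
 match protocol http
!
policy-map type inspect OUTSIDE-TO-DMZ-POLICY
 class type inspect OUTSIDE-TO-DMZ-WEB
  inspect
 class class-default
  drop log
!
zone-pair security OUTSIDE-DMZ source OUTSIDE destination DMZ
 service-policy type inspect OUTSIDE-TO-DMZ-POLICY
!
! No zone-pair exists for OUTSIDE->INSIDE, DMZ->INSIDE or DMZ->OUTSIDE, so all
! three directions are dropped by default: nothing from the Internet reaches the
! LAN, and a compromised DMZ host cannot initiate connections anywhere.
```

Two things to check after applying something like this.  First, `show zone-pair security` and `show policy-map type inspect zone-pair sessions` confirm which pairs have a policy and which sessions are actually being inspected.  Second, remember the built-in `self` zone: traffic to and from the router itself (SSH, SNMP, routing protocols) is permitted by default until you define zone-pairs involving `self`, so the configuration above protects the networks behind the router but not the router's own control plane.  Note also that the DMZ server has no outbound path here; if it needs DNS or software updates, add a DMZ-to-OUTSIDE zone-pair with a deliberately narrow policy rather than loosening the others.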

Here are a few other overview links to get you started:

Cisco IOS Firewall Performance Guidelines for Cisco Integrated Services Routers

Zone-Based Policy Firewall Design and Application Guide

Cisco IOS Firewall Zone-Based Policy Firewall Release 12.4(6)T Technical Discussion February 2006

Zone-Based Policy Firewall

Ivan Pepelnjak’s Deploying Zone-Based Firewalls book

IOS Zone Based Firewall Configuration